about fuzz tab and the way to test XSS


소순범

Jan 19, 2016, 1:41:52 AM
to OWASP ZAP User Group
Hi, I'm a novice in ZAP.

I have 2 questions.

I really need your help. Please give me a hand.

1.
What does 'fuzz' mean in ZAP?
At first, I thought that the 'fuzz' tab had something to do with generating data 'randomly' to attack the site, or with choosing the data 'randomly' from predefined fuzzing data.
But it seems that the 'fuzz' tab has nothing to do with 'random'.
Also, it seems that the 'fuzz' tab has nothing to do with attacking the site.
What does the 'fuzz' tab mean and when should I use it?

2.
Does ZAP provide a way to test for other XSSs besides DOM XSS?
I have tested the OWASP Benchmark set using the 'quick start' tab.
But I have never seen any XSS alert messages other than DOM XSS.


Regards,
Sunbeom 

Simon Bennetts

Jan 19, 2016, 5:49:10 AM
to OWASP ZAP User Group
You're pretty much there - in ZAP, fuzzing is "a technique of submitting lots of invalid or unexpected data to a target".
This is explained in the help file that comes with ZAP, which is also available online: https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsFuzzConcepts
The Fuzzer tab also explains how it should be used:

To fuzz a request string:
  • Select a request in one of the tabs that displays messages;
  • Highlight one of the strings you wish to fuzz in the Request tab;
  • Right click in the Request tab and select 'Fuzz...';
  • The selected location will be added to the table of 'Fuzz Locations' and it's ready to accept payloads. After selecting the button 'Payloads...', a new dialogue is shown which allows you to manage the payloads of the selected location;
  • New 'Fuzz Locations' can be added by selecting the position or string in the message shown in the left panels; once the location is chosen it can be added by pressing the 'Add...' button of the 'Fuzz Locations' table;
  • More options are available in the 'Options' tab allowing to configure with more detail the fuzz process;
  • Once at least one 'Fuzz Location' has been defined press the 'Start Fuzzer' button to start the fuzzing;
  • The results will then be listed in this tab - select them to see the full requests and responses.
  • It's also possible to open the 'Fuzzer' dialogue by selecting a message and choosing 'Attack' > 'Fuzz...'.
Does that help?

And yes, ZAP includes 'release' quality rules for detecting Reflected and Persistent XSSs: https://github.com/zaproxy/zap-core-help/wiki/HelpAddonsAscanrulesAscanrules#cross-site-scripting-reflected
As to why ZAP doesn't show any of them in Benchmark - are there any?
Benchmark is (in my opinion) very 'idiosyncratic' (i.e. it's got its own way of doing things) and at the moment not a particularly good way of testing scanners. Wavsep (https://github.com/sectooladdict/wavsep) tests for a wider set of vulnerabilities.
However, we're always looking to improve the ZAP scanner and will be looking at the Benchmark results again at some point. If you can point out some specific vulnerabilities you think ZAP should have found then that would be a great help :)

Many thanks,

Simon

소순범

Jan 20, 2016, 1:03:25 AM
to OWASP ZAP User Group

I really appreciate your help.
But I'm still wondering about some points.

3.
From the fuzzer results, how can I know whether the page has an XSS vulnerability or not?
Using the XSS attack data files predefined in ZAP, I can see the result "Reflected" at some points, but I don't know what the next step is.

I have read the contents above, but "Reflected" doesn't mean "the page has an XSS vulnerability".
"Reflected" just means "the injected string was found in the response body".
To know whether it has the vulnerability or not, what more do I have to do?

4.
I wonder whether 'Active scan' is a set of fuzzing runs using predefined attack files or not.
(Of course, except for wandering URLs, etc. I mean just for attacking pages.)

5.
Is it okay to understand 'fuzz' as attacking a web page at specific parameters (the highlighted strings)?

Thank you,

Sunbeom

On Tuesday, January 19, 2016 at 7:49:10 PM UTC+9, Simon Bennetts wrote:

Simon Bennetts

Jan 20, 2016, 5:06:17 AM
to OWASP ZAP User Group
No problem, that's what this forum is for :)

If we can automatically tell if an application is vulnerable to specific vulnerabilities then we write active or passive scan rules to detect those issues.
For example we have rules to detect reflected, persistent and DOM XSS's.

Fuzzing is a manual process. It's there for vulnerabilities that the automated tests can't (or don't) find.
The fuzzer makes it easy to attack specific fields (or any parts of a request) with a wide range of built-in attack vectors, and provides lots of ways to manipulate those attack vectors in order to target the specific application you are testing.
But it's still manual - ZAP will perform the attacks but you need to determine if the attacks were successful.
The fuzzer provides as much information as it can, including whether the attack vector was reflected in the response, but in the end you have to decide if an application is vulnerable or not.
It's worth noting that all automated tools (including the ZAP active and passive scanners) can report false positives, so you should always manually double check any results they report.

Every active scan rule works differently, as they are trying to find different vulnerabilities.
We try to document how they work in the help pages, but some are better documented than others ;)

To see exactly how they work you'll need to look at the code ;)

The Hacking ZAP series can help as well: https://github.com/zaproxy/zaproxy/wiki/Development


Cheers,


Simon
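As an added example (not part of Simon's reply or of ZAP's own code), here is the kind of triage a tester does on fuzzer output to answer question 3: a canary that comes back verbatim, and the HTML context it landed in, is worth manual verification, while one that comes back encoded is the output encoding working. The canary string, the context heuristic and the sample responses are all constructed for this example.

```python
import re
from enum import Enum
from typing import Dict, Optional, Tuple

# Constructed canary: a unique marker plus the characters an HTML context must encode;
# the marker alone locates the reflection even when the specials were encoded or stripped.
MARKER = "zapfuzz7f3a"
CANARY = MARKER + "<\">'"

class Reflection(Enum):
    NOT_REFLECTED = "marker absent from response"
    REFLECTED_ENCODED = "marker present, special characters encoded or stripped"
    REFLECTED_RAW = "canary reflected verbatim: needs manual verification"

def html_context(body: str, index: int) -> str:
    """Rough HTML context at `index`: inside a tag ('attribute'), 'script' or 'text'."""
    before = body[:index]
    if before.rfind("<") > before.rfind(">"):
        return "attribute"
    opened = len(re.findall(r"<script\b", before, re.I))
    closed = len(re.findall(r"</script\s*>", before, re.I))
    return "script" if opened > closed else "text"

def classify_reflection(body: str) -> Tuple[Reflection, Optional[str]]:
    """Turn a fuzzer 'Reflected' hit into a triage decision for one response.
    Only a verbatim reflection is worth manual XSS verification; an encoded
    reflection is the output encoding doing its job."""
    index = body.find(CANARY)
    if index != -1:
        return Reflection.REFLECTED_RAW, html_context(body, index)
    if MARKER in body:
        return Reflection.REFLECTED_ENCODED, None
    return Reflection.NOT_REFLECTED, None

# Constructed sample responses, as a fuzzer run might return them.
SAMPLE_RESPONSES: Dict[str, str] = {
    "encoded": "<p>Results for zapfuzz7f3a&lt;&quot;&gt;&#x27;</p>",
    "raw_text": "<p>Results for zapfuzz7f3a<\">'</p>",
    "raw_attr": "<input name=\"q\" value=\"zapfuzz7f3a<\">'\">",
    "raw_script": "<script>var q = \"zapfuzz7f3a<\">'\";</script>",
    "absent": "<p>No results.</p>",
}

def triage(responses: Dict[str, str]) -> Dict[str, Tuple[Reflection, Optional[str]]]:
    """Classify every response so only the raw hits reach the manual queue."""
    return {name: classify_reflection(body) for name, body in responses.items()}

if __name__ == "__main__":
    for name, (kind, ctx) in triage(SAMPLE_RESPONSES).items():
        print(f"{name:10} {kind.value}" + (f" ({ctx} context)" if ctx else ""))
```

The context label is only a hint for which class of payload to try by hand next; the final call on whether the page is vulnerable still has to be made by looking at the response in a browser.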

소순범

Jan 20, 2016, 11:02:59 PM
to OWASP ZAP User Group
Thank you so much :)

If I get another question, I'll ask here.

Thank you again,

Sunbeom


On Wednesday, January 20, 2016 at 7:06:17 PM UTC+9, Simon Bennetts wrote: